3 Incident Response Tips To Save You Time & Money

Monday, November 10, 2014By: Tom Sammel

The motto “be prepared” can easily apply to your organization’s ability to respond to cyber threats. Not only does its response impact brand image, but if not done properly, the impact can be quite costly. In the 2014 Cost of Data Breach Study: Global Analysis, by the Ponemon Institute, the average cost to a company in 2014 was $3.5 million, 15 percent more than what it cost in 2013.[i]

Information Security Incident Management

Dell SecureWorks Incident Response consultants not only help you through an information security breach, but they ensure you are prepared when one occurs. Based on our experience handling hundreds of incident response engagements throughout the last 12 months, we’ve identified three keys areas to address so your organization is ready for an investigation when advanced threat actors attack.

1. Have Proper Log Management Data for Incident Response

Do you have access to the log data you need to support your incident response plan?

Logs are a valuable source of information during the incident response process. Log management gives insight into the activity on systems and applications which can help determine the appropriate anatomy of a cyber-attack, and its impact with a higher degree of certainty.

If your access to logs is limited or if logs are missing, it is difficult to get a solid picture of the incident. Without log data, you have to rely on other forensic methods to determine the what, when, why, who, where and how of an incident.

Don't wait until you're in the middle of your incident response plan to learn you weren't logging sufficiently.

Ensure full and complete log collections are always available for critical business systems.

Know how long the logs are stored before they are overwritten. Understand the verbosity of logging levels to make sure the appropriate information is being logged to support incident response and forensic investigation.

Our experts recommend logs be maintained on the following systems at a minimum: Firewalls, IDS/IPS, DNS, VPN, Active Directory, Critical Servers/Systems, and Web Services. These logs should be retained for 13 months as a best practice.

2. Conduct Thorough Remediations to Remove All Threat Actors

After an incident, are you sure it is completely re-mediated?

A common problem we have seen is organizations experiencing a secondary malware outbreak after they thought they had purged all infected systems. Today's malware is stealthier than ever before, making it a challenge to confirm that all systems are truly clean after an incident.

It is not uncommon to see an infected server get wiped, re-imaged and redeployed, only to be infected again by the same malware a few days later or have the threat actor attempt another attack. Further investigation often reveals there is another infected machine on the network that was never detected during the initial incident response process.

It is essential to determine the full scope of an incident during the response process. Once you believe the incident is contained, you must do a thorough investigation to understand its full extent – including how the incident happened in the first place. Only then can you know what steps need to be taken to completely mitigate the incident, what to monitor post attack, and how to return systems to their proper state.

3. Identify Key People & Have Resources Ready

Do you have appropriate resources needed to adequately respond to an incident? How much does the incident response process rely on the presence of only a few individuals? Is the chain of command identified so all applicable parties are notified?

Incident response can be a very high-stress process, even if you have a well-defined plan. The process can take several days or weeks, with key individuals working nearly around the clock. Fueled by coffee and a deep understanding of the space, incident responders can work beyond their usual limits. It’s critical to ensure your team is adequately supported to avoid costly errors that result from exhaustion or lack of resources.

Burnout and fatigue can easily lead to lack of clarity, stale thinking, poor decision-making and a stalled sense of urgency. Keep a healthy bench of qualified resources that you can tap to pick up the process when you've reached your limit. Have a plan to hand-off responsibilities before responders reach their limits, minimizing the risk of making avoidable mistakes.

With cyber threats increasing and evolving, having a clear, detailed plan in place will help maintain your business and your brand.